{
	"id": "7aac6992-6f2f-408a-8b71-daaf4ac8bc30",
	"created_at": "2026-04-06T00:15:39.625067Z",
	"updated_at": "2026-04-10T03:37:50.651121Z",
	"deleted_at": null,
	"sha1_hash": "f9428e66aa352db1855fa1c9f52903736256ed07",
	"title": "APT28’s Campaign Leveraging CVE‑2026‑21509 and Cloud C2 Infrastructure",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 778185,
	"plain_text": "APT28’s Campaign Leveraging CVE‑2026‑21509 and Cloud C2\r\nInfrastructure\r\nArchived: 2026-04-05 14:27:19 UTC\r\nThis blog is written in collaboration with Trellix\r\nUpdated February 9, 2026: This analysis has been updated to clarify malware naming conventions.\r\nIntroduction\r\nRussian state-sponsored threat group APT28 (aka Fancy Bear or UAC-0001) has launched a sophisticated espionage\r\ncampaign targeting European military and government entities, specifically targeting maritime and transport organizations\r\nacross Poland, Slovenia, Turkey, Greece, the UAE, and Ukraine. The attackers weaponized a newly disclosed Microsoft\r\nOffice 1-day (CVE-2026-21509) within 24 hours of its public revelation, using spear-phishing documents to compromise\r\nUkrainian government agencies and EU institutions [1]. This campaign features a multi-stage infection chain and novel\r\npayloads, including a simple initial loader, an Outlook VBA backdoor (NotDoor), and a modified Covenant implant\r\n(\"CovenantGrunt\" [7]). The threat actors abuse legitimate cloud storage (filen.io) as command-and-control (C2)\r\ninfrastructure, blending malicious traffic with normal user activity.\r\nInfection chain overview\r\nAPT28's attack begins with spear-phishing emails containing weaponized documents that exploit CVE-2026-21509, a\r\nMicrosoft Office security feature bypass vulnerability. This vulnerability was addressed by an urgent, out-of-band security\r\nupdate. When victims open these malicious documents, the exploit triggers automatically without requiring macros or user\r\ninteraction. The vulnerability allows embedded OLE objects to execute by leveraging the WebDAV protocol to fetch\r\nexternal payloads from attacker-controlled infrastructure.\r\nThe initial exploitation downloads a malicious LNK shortcut and first-stage loader DLL, which establishes the foundation\r\nfor a sophisticated multi-stage infection chain. 
The loader either extracts shellcode from an encrypted PNG image, decrypts it, and runs CovenantGrunt in memory, or drops VbaProject.OTM to install the NotDoor Outlook backdoor. In the first case the shellcode bootstraps a .NET-based loader that performs a key exchange with the cloud storage infrastructure.\r\nThe entire chain is designed for resilience and evasion: encrypted payloads, legitimate cloud services for C2, in-memory execution, and process injection all serve to minimize forensic artifacts. This layering reflects APT28's evolved tradecraft for maintaining persistent access while evading detection in enterprise environments.\r\nFigure 1: Multi-stage infection chain employed by APT28. The exploit in the document leads to a staged malware execution flow, culminating in an in-memory Covenant backdoor beaconing to cloud storage.\r\nPhishing lures and social engineering\r\nThe adversary ran a concentrated 72-hour spear-phishing campaign (January 28-30, 2026), delivering at least 29 distinct emails across nine Eastern European nations and primarily targeting defense ministries (40%), transportation/logistics operators (35%), and diplomatic entities (25%). 
The emails were sent from compromised government accounts in several countries, including Romania, Bolivia, and Ukraine.\r\nhttps://strikeready.com/blog/apt28s-campaign-leveraging-cve%E2%80%912026%E2%80%9121509-and-cloud-c2-infrastructure/\r\nPage 1 of 9\n\nThe lures drew on four geopolitically charged narratives: transnational weapons-smuggling alerts (45% of emails), impersonating a Central European border security agency warning of \"200 RPG-7 rounds in transit from Syria via Ukraine\" with fabricated courier identities; military training program invitations (25%), spoofing a regional defense university with professional signature blocks and time-sensitive enrollment deadlines; EU/NATO diplomatic consultations (20%), masquerading as high-level parliamentary requests for policy positions on the Ukraine conflict; and meteorological emergency bulletins, abusing compromised national weather service infrastructure to disseminate fabricated flood warnings.\r\nFigure 2: Phishing email and decoys\r\nWe identified an orthographic inconsistency, alternating use of \"Boarder Police\" and \"Border Police\" across temporally clustered messages, which is consistent with distributed tasking in which non-native English speakers independently crafted lure variants. 
All emails carried weaponized RTF/DOC attachments (e.g., BULLETEN_H.doc, Courses.doc, OperInformativ_163.doc) exploiting CVE-2026-21509. The decoy content closely replicated authentic government communications, possibly built from real, previously stolen documents: official letterheads, bilingual formatting (Romanian/English, Ukrainian/English), color-coded hazard maps, and ministerial seals, all visual cues chosen to exploit institutional trust and defuse user suspicion at the critical file-open decision point.\r\nExploitation and initial loader (“SimpleLoader”)\r\nThe spear-phishing document uses the CVE-2026-21509 exploit to achieve code execution as soon as it is opened. According to Microsoft, CVE-2026-21509 allows an attacker to bypass Office’s OLE security restrictions, exposing unsafe COM controls to execution [6]. In practical terms, APT28’s malicious documents embed a specially crafted OLE object (for instance, a Shell.Explorer ActiveX control) that automatically retrieves the next-stage payload over HTTP/WebDAV. The URLs embedded in the RTF documents (listed in the IoC section below) point at a blank.doc decoy and a .LnK file fetched with ?init=1 on the same host.\r\nFigure 3: RTF Object Linking and Embedding (OLE) Exploitation via Shell.Explorer.1 in the malicious attachment\r\nExecuting the downloaded LNK loads the SimpleLoader DLL (via rundll32.exe; see the process indicators below).\r\nSimpleLoader uses three distinct XOR schemes: a simple single-byte XOR (0x43) for mutex generation, an alternating-byte XOR with null padding for path strings, and a 76-character rotating XOR key for embedded payload decryption. 
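As an added triage example for the document stage described at the start of this section (Python written for this page, not code from the report or from the attackers): a scanner that pulls the OLE object class and the hex-encoded objdata out of an RTF, decodes the objdata, and reports any URL or UNC path the object would fetch. The sample RTF is constructed; its objdata bytes only loosely imitate an OLE1 stream, and example.invalid stands in for a real host. None of the real attachments are reproduced here.

```python
import re

# Plain regexes over RTF control words; a triage scanner written for this page,
# not the tooling used by the report's authors.
OBJCLASS_RE = re.compile('\\\\objclass\\s+([A-Za-z0-9._]+)')
OBJDATA_RE = re.compile('\\\\objdata\\s*([0-9A-Fa-f\\s]+)')
URL_RE = re.compile('(?:https?://|\\\\\\\\)[!-~]+', re.IGNORECASE)


def decode_objdata(hexblob):
    # Turn the whitespace-broken hex of an objdata group back into bytes.
    digits = re.sub('\\s+', '', hexblob)
    return bytes.fromhex(digits[:len(digits) - len(digits) % 2])


def printable_text(blob):
    # Drop NUL bytes so UTF-16LE ASCII (common in OLE monikers) and plain ASCII can be
    # searched with one regex; adequate for triage, not a full OLE decoder.
    return blob.replace(bytes([0]), b'').decode('latin-1')


def triage_rtf(rtf_text):
    # Report OLE object classes and any URL/UNC path carried by embedded objdata.
    classes = OBJCLASS_RE.findall(rtf_text)
    urls, embedded = [], []
    for hexblob in OBJDATA_RE.findall(rtf_text):
        text = printable_text(decode_objdata(hexblob))
        urls += URL_RE.findall(text)
        if 'shell.explorer' in text.lower():
            embedded.append('Shell.Explorer')
    uses_browser_control = any('shell.explorer' in c.lower() for c in classes + embedded)
    fetches_lnk = any(u.split('?')[0].lower().endswith('.lnk') or 'init=' in u.lower() for u in urls)
    return {
        'objclass': classes,
        'urls': urls,
        'verdict': 'suspicious' if (uses_browser_control or fetches_lnk) else 'no OLE indicators',
    }


# Constructed sample: a minimal RTF whose OLE object is a Shell.Explorer.1 control and whose
# objdata carries a remote .LnK URL in UTF-16LE. The leading bytes loosely imitate an OLE1
# stream header; the host and path are placeholders, not indicators from the report.
SAMPLE_OBJDATA = (
    bytes.fromhex('0105000002000000110000005368656c6c2e4578706c6f7265722e3100')
    + 'https://example.invalid/docs/document.LnK?init=1'.encode('utf-16le')
)
SAMPLE_RTF = (
    '{\\rtf1\\ansi\\deff0{\\fonttbl{\\f0 Calibri;}}'
    '{\\object\\objautlink\\objocx{\\*\\objclass Shell.Explorer.1}'
    '{\\*\\objdata ' + SAMPLE_OBJDATA.hex() + '}'
    '{\\result{\\pict\\wmetafile8 0102}}}'
    '\\par Decoy body text.}'
)

if __name__ == '__main__':
    print(triage_rtf(SAMPLE_RTF))
```

The verdict deliberately keys on two independent signals, the browser-control ProgID and a remote shortcut fetch, so a document that hides the class name inside the binary objdata but still names a .LnK target is caught, and vice versa.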
Upon execution, SimpleLoader creates a single-instance mutex and runs its dropper routine, which writes three files to disk: the primary payload (EhStoreShell.dll, the steganography loader) to %PROGRAMDATA%\\USOPublic\\Data\\User\\, a scheduled task configuration XML to the user's temp directory, and an encrypted-payload PNG file (SplashScreen.png) placed so as to mimic legitimate OneDrive installation artifacts (see the host-based indicators below for the full paths).\r\nPersistence is achieved through COM object hijacking of CLSID {D9144DCD-E998-4ECA-AB6A-DCD83CCBA16D}: the loader registers EhStoreShell.dll as the InProcServer32 for that CLSID under HKCU, so no administrative rights are needed. It then creates a scheduled task named \"OneDriveHealth\" that fires 60 seconds after registration and runs a command sequence that terminates explorer.exe, relaunches it (which loads the hijacked COM object), and deletes the scheduled task. Once loaded into the new explorer.exe process, EhStoreShell.dll establishes C2 communication with filen.io.\r\nEhStoreShell.dll runs anti-analysis checks first: a three-second sleep followed by timing validation (at least 2.9 s must have elapsed, otherwise sandbox time acceleration is assumed) and a process-name check to ensure it is running inside explorer.exe. It decrypts embedded strings with a single-byte XOR (key 0x43) and resolves ten Windows APIs through hash-based lookups. After these checks pass, it locates and processes the `SplashScreen.png` dropped earlier. The malware carries a complete PNG decoder, ten specialized functions covering IHDR header parsing, PLTE palette extraction, IDAT chunk decompression via zlib inflation, Huffman table construction, and Adam7 de-interlacing, and ultimately extracts .NET loader shellcode concealed in the image's pixel data. Since IDAT data is deflate-compressed and filtered, the shellcode does not appear as a contiguous byte pattern in the PNG on disk; string and signature scans of the file will miss it.\r\nFigure 4: EhStoreShell.dll’s anti-analysis routines\r\nThe extracted shellcode is a fileless .NET assembly bootstrap that invokes the Common Language Runtime directly, without touching disk. 
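The two decoding layers described above, recreated in Python as an added example (not the loader's code): the repeating-key XOR that SimpleLoader applies to its embedded payload, and the PNG decode that EhStoreShell.dll performs to reach shellcode hidden in pixel data. It handles 8-bit non-interlaced images with all five scanline filters (the real loader also handles Adam7 and palettes). The XOR key, the length prefix on the hidden blob, and the sample image are assumptions constructed for the example; the CRC check shows why a faithful chunk parser, not a string scan of the file, is what recovers the payload.

```python
import struct
import zlib

PNG_SIG = bytes.fromhex('89504e470d0a1a0a')
BYTES_PER_PIXEL = {0: 1, 2: 3, 3: 1, 4: 2, 6: 4}  # 8-bit depth: gray, RGB, palette, gray+A, RGBA


def parse_chunks(png):
    # Walk the chunk list and verify every CRC, as a faithful decoder must; a carving
    # script that ignores CRCs will happily read a corrupted IDAT stream.
    if png[:8] != PNG_SIG:
        raise ValueError('not a PNG')
    pos, chunks = 8, []
    while pos + 12 <= len(png):
        (length,) = struct.unpack('>I', png[pos:pos + 4])
        ctype = png[pos + 4:pos + 8]
        data = png[pos + 8:pos + 8 + length]
        (crc,) = struct.unpack('>I', png[pos + 8 + length:pos + 12 + length])
        if zlib.crc32(ctype + data) & 0xFFFFFFFF != crc:
            raise ValueError('CRC mismatch in chunk ' + ctype.decode('latin-1'))
        chunks.append((ctype, data))
        pos += 12 + length
        if ctype == b'IEND':
            break
    return chunks


def predictor(ftype, a, b, c):
    # PNG scanline filter predictor; a = left, b = up, c = upper-left, all reconstructed bytes.
    if ftype == 0:
        return 0
    if ftype == 1:
        return a
    if ftype == 2:
        return b
    if ftype == 3:
        return (a + b) // 2
    p = a + b - c  # type 4: Paeth
    pa, pb, pc = abs(p - a), abs(p - b), abs(p - c)
    return a if (pa <= pb and pa <= pc) else (b if pb <= pc else c)


def decode_pixels(png):
    # Inflate the IDAT stream and undo per-row filtering to get the raw pixel bytes.
    chunks = parse_chunks(png)
    ihdr = next(d for t, d in chunks if t == b'IHDR')
    width, height, depth, ctype, _, _, interlace = struct.unpack('>IIBBBBB', ihdr)
    if depth != 8 or interlace != 0:
        raise ValueError('example handles 8-bit non-interlaced images only (the real loader also handles Adam7)')
    bpp = BYTES_PER_PIXEL[ctype]
    stride = width * bpp
    raw = zlib.decompress(b''.join(d for t, d in chunks if t == b'IDAT'))
    prior, out = bytearray(stride), bytearray()
    for row in range(height):
        base = row * (stride + 1)
        ftype, filt = raw[base], raw[base + 1:base + 1 + stride]
        cur = bytearray(stride)
        for i in range(stride):
            a = cur[i - bpp] if i >= bpp else 0
            c = prior[i - bpp] if i >= bpp else 0
            cur[i] = (filt[i] + predictor(ftype, a, prior[i], c)) & 0xFF
        out += cur
        prior = cur
    return bytes(out)


def rotating_xor(data, key):
    # Repeating-key XOR, SimpleLoader's payload layer per this page; with a 1-byte key
    # (0x43) it is the scheme used for the mutex name and embedded strings.
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def recover_payload(png, key):
    # Assumption for the example: the hidden blob is length-prefixed (little-endian uint32);
    # the page does not say how the real loader delimits the shellcode.
    plain = rotating_xor(decode_pixels(png), key)
    (n,) = struct.unpack('<I', plain[:4])
    return plain[4:4 + n]


def build_sample_png(payload, key, width=16):
    # Constructed sample: XOR-encode a length-prefixed payload into 8-bit grayscale pixels,
    # cycling through all five filter types so the decoder's unfiltering is exercised.
    body = rotating_xor(struct.pack('<I', len(payload)) + payload, key)
    height = -(-len(body) // width)
    body = body.ljust(width * height, bytes([0]))
    raw, prior = b'', bytearray(width)
    for row in range(height):
        cur, ftype = body[row * width:(row + 1) * width], row % 5
        filt = bytearray(width)
        for i in range(width):
            a = cur[i - 1] if i >= 1 else 0
            c = prior[i - 1] if i >= 1 else 0
            filt[i] = (cur[i] - predictor(ftype, a, prior[i], c)) & 0xFF
        raw += bytes([ftype]) + bytes(filt)
        prior = bytearray(cur)

    def chunk(ctype, data):
        return struct.pack('>I', len(data)) + ctype + data + struct.pack('>I', zlib.crc32(ctype + data) & 0xFFFFFFFF)

    ihdr = struct.pack('>IIBBBBB', width, height, 8, 0, 0, 0, 0)
    return PNG_SIG + chunk(b'IHDR', ihdr) + chunk(b'IDAT', zlib.compress(raw)) + chunk(b'IEND', b'')


SAMPLE_KEY = b'stand-in rotating key; the real 76-byte key is not on this page'
SAMPLE_PAYLOAD = bytes(range(256)) * 3  # stands in for the .NET loader shellcode

if __name__ == '__main__':
    png = build_sample_png(SAMPLE_PAYLOAD, SAMPLE_KEY)
    print(len(png), 'byte PNG; payload recovered:', recover_payload(png, SAMPLE_KEY) == SAMPLE_PAYLOAD)
```

Because the pixel bytes exist only after inflate and unfilter, a file-based rule on the PNG will not see the shellcode; the better hunting targets are the decoder itself (the mal_png_* functions in the Threatray table further down) and the decoded buffer in explorer.exe memory.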
It resolves APIs dynamically by walking the Process Environment Block (PEB) rather than relying on an Import Address Table, loads `MSCOREE.DLL` and `OLEAUT32.DLL`, and calls `CLRCreateInstance` to initialize the .NET runtime inside the compromised explorer.exe process.\r\nPost-exploitation payloads: CovenantGrunt with cloud-based C2\r\nOnce the shellcode has the CLR running, the chain moves to a staged .NET loader (\"Publish\", a modified Covenant backdoor) that performs a cryptographic handshake with the adversary's command infrastructure. The loader generates a 2048-bit RSA key pair and registers the victim in a dedicated subfolder under a base folder on filen.io. The operator's C2, which monitors that base folder UUID, detects the new registration, generates a cryptographically random 32-byte AES-256 session key, encrypts it with the victim's RSA public key, and uploads the encrypted session key to the victim's subfolder. The victim decrypts the session key with its private RSA key and completes a challenge-response exchange to prove the handshake. Once the handshake completes, the loader downloads the encrypted Covenant Grunt assembly, decrypts it with the newly established session key, and executes it via Assembly.Load(), invoking the entry method by reflection (it looks for the method carrying the [DisplayName(\"Invite\")] attribute), so the Grunt never touches disk.\r\nThe Covenant Grunt implant was reengineered to use filen.io cloud storage. 
The .NET assembly has four core components: `FilenApi` (a complete REST API client for filen.io's gateway, ingest, and egest endpoints across 24 subdomains), `FilenMessenger` (implements the IMessenger interface that polls for and uploads encrypted task files), `FilenEncryptor` (AES-256-GCM encryption with per-file nonces plus HMAC-SHA256 integrity verification), and `GruntExecutor` (the task execution engine, supporting .NET assembly loading, PowerShell execution, and output streaming through anonymous pipes). Task results are encrypted with AES-256-CBC plus HMAC-SHA256 and uploaded back to the victim's folder, where the operator retrieves and processes them.\r\nAnalysis of the compromised filen.io infrastructure revealed the operational scale of this campaign: confirmed victims were spread across at least two accounts (fiscalizacionycontrol@cordoba.gov.ar and jannet.stillman@outlook.com). Observed post-exploitation activity included system reconnaissance (arp.exe, systeminfo.exe, tracert.exe), process injection into svchost.exe for persistence, and preparation for lateral movement, all performed through dynamically loaded .NET assemblies that leave no disk-based forensic artifacts beyond the injected, memory-resident code.\r\n“NotDoor” Outlook backdoor variant\r\nNotDoor is the Outlook VBA backdoor delivered when the first-stage loader drops VbaProject.OTM into %APPDATA%\\Microsoft\\Outlook (the macro project file Outlook loads at startup) and lowers Outlook's macro security through the registry (Security\\Level = 1 and LoadMacroProviderOnBoot = 1; see the host-based indicators below).\r\nThe VBA macro implements email surveillance through two automatic triggers: `Application_MAPILogonComplete` runs when Outlook logs on, and `Application_NewMailEx` fires on each new message for real-time forwarding. The exfiltration logic enumerates four folders (Inbox, Drafts, Junk Mail, RSS Feeds), processing up to 10 messages per folder per run. For each unprocessed email it uses the native Outlook object model to save the complete message (headers, body, attachments, metadata) as a `.msg` file at `%TEMP%\\temp_email.msg`, creates a new message with the original attached, and sends it to two adversary-controlled addresses over standard SMTP. It marks each processed email with a custom \"AlreadyForwarded\" property to prevent duplicate transmission and sets `DeleteAfterSubmit = True` so the forwarded copies never linger in Sent Items. The technique is particularly effective against diplomatic and government mail systems, where high-privilege accounts receive sensitive policy documents, classified cables, and strategic communications, precisely the intelligence APT28 prioritizes.\r\nInfrastructure and TTPs\r\nInfrastructure: APT28’s campaign stands out for its heavy abuse of legitimate cloud services. In this 2026 wave, filen.io, a cloud storage provider, serves as the core C2 channel for the Covenant/BeardShell implants. All beaconing and tasking occurs via HTTPS requests to filen.io API endpoints, appearing as normal cloud storage traffic. 
Earlier related operations used Koofr and Icedrive for C2, showing how readily APT28 swaps cloud platforms [2].\r\nFor delivery, the initial stage relied on compromised or attacker-registered web servers hosting the malicious documents and LNKs. Domains such as wellnessmedcare[.]org, wellnesscaremed[.]com, freefoodaid[.]com, and longsauce[.]com hosted and delivered the Office exploit stages (likely the WebDAV fetch of the LNK and the blank.doc decoy content); see the IoC table below. The threat actors moved quickly, in some cases registering new domains on the same day they were used in attacks, reflecting a highly agile operation.\r\nAttribution to APT28\r\nThis campaign is attributed to APT28 with high confidence based on technical indicators and victimology. CERT-UA officially attributed the January 2026 attacks to UAC-0001 [1], which corresponds to APT28 (Fancy Bear), a unit of Russia’s GRU military intelligence. APT28 has previously weaponized Office vulnerabilities within days of disclosure and has often been among the first to use them in the wild, a capability for 0-day and n-day exploitation that few groups match.\r\nAPT28 has a long history of cyber espionage and influence operations. The tradecraft in this campaign, multi-stage malware, extensive obfuscation, abuse of cloud services, and targeting of email systems for persistence, reflects a well-resourced adversary consistent with APT28’s profile. The toolset and techniques also match APT28’s fingerprint: COM hijacking for persistence and the macro-based Outlook backdoor NotDoor are TTPs recently tied to APT28 operations against European organizations, and the BeardShell malware has been explicitly attributed to APT28 by Ukrainian authorities and security researchers. These implants, along with the Covenant framework, were all found in incidents handled by CERT-UA and its partners, linking them to the same adversary. 
Furthermore, the focus on Ukrainian government and military bodies, as well as NATO-aligned targets, correlates strongly with APT28’s strategic interests over the past decade, especially since the 2022 invasion of Ukraine.\r\nCode similarity analysis by Threatray classifies the functions of this steganography loader as 47 unknown, 10 malicious, and 542 benign. The 10 malicious functions match the reference BeardShell loader 88e28107fbf171fdbcf4abbc0c731295549923e82ce19d5b6f6fefa3c9f497c9 previously reported by Sekoia [3]; all ten belong to the embedded PNG decoder (chunk, IHDR, PLTE and iTXt parsing, Adam7 de-interlacing, CRC32, zlib inflate, and Huffman table construction):\r\nAddress (this sample) | Function name | Matching address (reference loader)\r\n0x180008600 | mal_png_master_decoder | 0x18000b310\r\n0x180007f60 | mal_png_itxt_parser | 0x18000ad20\r\n0x1800052b0 | mal_png_adam7_interlace | 0x180008230\r\n0x1800047e0 | mal_png_plte_parser | 0x180007750\r\n0x180004510 | mal_png_ihdr_parser | 0x180007470\r\n0x180004230 | mal_png_chunk_parser | 0x180007190\r\n0x180004000 | mal_png_text_storage | 0x180006f90\r\n0x180003240 | mal_crc32_calculate | 0x180006120\r\n0x180002440 | mal_zlib_inflate_decompress | 0x1800054c0\r\n0x180001f30 | mal_huffman_table_builder | 0x180004fc0\r\nWhile attribution in cyberspace can be challenging, here the convergence of indicators (code overlap, infrastructure reuse, and timing) makes a compelling case that the GRU-linked APT28 is behind the campaign.\r\nConclusion\r\nAPT28’s latest campaign underscores the group’s technical prowess and adaptability. By combining a fresh Office exploit, multi-layered loaders, cloud-based C2 channels, and an Outlook backdoor, APT28 continues to expand its arsenal for infiltrating high-value targets. The use of CVE-2026-21509 shows how quickly state-aligned actors weaponize new vulnerabilities, shrinking the window in which defenders can patch. 
The campaign’s modular infection chain, from initial phish to in-memory backdoor to secondary implants, was carefully designed to use trusted channels (HTTPS to cloud services, legitimate email flows) and fileless techniques to hide in plain sight.\r\nAttribution to APT28 is reinforced by continuity of tactics: early observations by CERT-UA and others tie this activity to the same unit behind prior operations such as the Signal Messenger lures (BeardShell/Covenant) and the NotDoor Outlook backdoor [4][5]. That consistency is itself useful intelligence on APT28’s evolving toolkit.\r\nOrganizations should apply the latest Office patches (including the out-of-band fix for CVE-2026-21509) and implement Microsoft’s recommended registry hardening that blocks this OLE exploit path [6].\r\nDefending against such a threat requires defense in depth. User awareness matters, since highly convincing lures are in play, but the host artifacts are the more dependable signal: the MITRE ATT\u0026CK mapping below can guide threat hunting for specific techniques such as COM hijacks and macro abuse, and the host-based indicators listed with it (the hijacked CLSID under HKCU, the short-lived OneDriveHealth task, the explorer.exe kill-and-restart command line, and the Outlook Security\\Level change) are cheap to query across a fleet. 
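As an added hunting example (Python written for this page, not the authors' tooling): the host artifacts from the IoC section turned into detection rules and run over constructed Sysmon-style events (EventID 1 = process create, 11 = file create, 13 = registry value set). The Key=Value line format, the sample events, and the all-zero CLSID used in the generic case are assumptions made for the example. Two rules generalize beyond the page's literal indicators: any InProcServer32 registered under a user hive that points into a user-writable path, and any scheduled task created and then deleted within a few minutes.

```python
import re
from datetime import datetime

# Indicators from this page's IoC section.
HIJACKED_CLSID = '{D9144DCD-E998-4ECA-AB6A-DCD83CCBA16D}'
TRANSIENT_TASK = 'OneDriveHealth'
Q = chr(34)  # a double-quote character, used in schtasks command lines

# Constructed Key=Value event format (Sysmon semantics: 1 = process create,
# 11 = file create, 13 = registry value set); not a real log export.
KV_RE = re.compile('(\\w+)=(.*?)(?=\\s+\\w+=|$)')
USER_WRITABLE_RE = re.compile('\\\\(PROGRAMDATA|APPDATA|USERS)\\\\')
TASK_NAME_RE = re.compile('/tn\\s+' + Q + '?([^' + Q + '\\s]+)' + Q + '?', re.IGNORECASE)


def parse_event(line):
    return {k: v.strip() for k, v in KV_RE.findall(line)}


def check_com_hijack(ev):
    # T1546.015: an InProcServer32 written under a user hive. The known CLSID is a direct IoC;
    # the generic form catches any hijack whose server DLL lives in a user-writable path.
    target = ev.get('TargetObject', '').upper()
    if ev.get('EventID') != '13' or 'INPROCSERVER32' not in target:
        return None
    if HIJACKED_CLSID.upper() in target:
        return 'com_hijack_known_clsid'
    if target.startswith(('HKCU', 'HKU')) and USER_WRITABLE_RE.search(ev.get('Details', '').upper()):
        return 'com_hijack_user_writable_server'
    return None


def check_explorer_restart(ev):
    # The loader kills and restarts explorer.exe so the hijacked COM object gets loaded.
    cmd = ev.get('CommandLine', '').lower()
    if ev.get('EventID') == '1' and 'taskkill' in cmd and 'explorer.exe' in cmd and 'start explorer' in cmd:
        return 'explorer_kill_restart'
    return None


def check_outlook_macro_bypass(ev):
    # NotDoor's registry changes: Outlook Security\Level = 1 and LoadMacroProviderOnBoot = 1.
    target = ev.get('TargetObject', '').upper()
    details = ev.get('Details', '')
    if ev.get('EventID') != '13' or '\\OUTLOOK\\' not in target:
        return None
    if target.endswith('\\SECURITY\\LEVEL') and details.endswith('(0x00000001)'):
        return 'outlook_macro_security_lowered'
    if target.endswith('\\LOADMACROPROVIDERONBOOT') and details.endswith('(0x00000001)'):
        return 'outlook_macro_provider_on_boot'
    return None


def check_vbaproject_drop(ev):
    # VbaProject.OTM written by anything other than Outlook itself.
    name = ev.get('TargetFilename', '').upper()
    by_outlook = ev.get('Image', '').lower().endswith('outlook.exe')
    if ev.get('EventID') == '11' and name.endswith('\\MICROSOFT\\OUTLOOK\\VBAPROJECT.OTM') and not by_outlook:
        return 'vbaproject_otm_written_by_non_outlook'
    return None


class TaskTracker:
    # Stateful: flags the known task name, and any task created then deleted within the window.
    def __init__(self, window_seconds=300):
        self.window, self.created = window_seconds, {}

    def check(self, ev):
        cmd = ev.get('CommandLine', '')
        m = TASK_NAME_RE.search(cmd)
        if ev.get('EventID') != '1' or 'schtasks' not in cmd.lower() or not m:
            return None
        name = m.group(1).lower()
        when = datetime.strptime(ev.get('UtcTime', '1970-01-01 00:00:00'), '%Y-%m-%d %H:%M:%S')
        if '/create' in cmd.lower():
            self.created[name] = when
            return 'scheduled_task_known_name' if name == TRANSIENT_TASK.lower() else None
        if '/delete' in cmd.lower() and name in self.created:
            if (when - self.created[name]).total_seconds() <= self.window:
                return 'scheduled_task_create_delete_short_lived'
        return None


def hunt(lines):
    tracker = TaskTracker()
    checks = (check_com_hijack, check_explorer_restart, check_outlook_macro_bypass,
              check_vbaproject_drop, tracker.check)
    hits = []
    for line in lines:
        ev = parse_event(line)
        for check in checks:
            rule = check(ev)
            if rule:
                hits.append((rule, ev.get('UtcTime', ''), ev.get('Image', '')))
    return hits


# Constructed events modelled on the chain this page describes (paths and SID are placeholders).
SAMPLE_EVENTS = [
    'UtcTime=2026-01-29 09:58:10 EventID=1 Image=C:\\Windows\\System32\\rundll32.exe CommandLine=rundll32.exe tables(1).dll',
    'UtcTime=2026-01-29 09:58:11 EventID=13 Image=C:\\Windows\\System32\\rundll32.exe TargetObject=HKU\\S-1-5-21-1\\Software\\Classes\\CLSID\\' + HIJACKED_CLSID + '\\InProcServer32\\(Default) Details=C:\\ProgramData\\USOPublic\\Data\\User\\EhStoreShell.dll',
    'UtcTime=2026-01-29 09:58:12 EventID=1 Image=C:\\Windows\\System32\\schtasks.exe CommandLine=schtasks.exe /Create /tn ' + Q + 'OneDriveHealth' + Q + ' /sc once /tr cmd.exe',
    'UtcTime=2026-01-29 09:59:13 EventID=1 Image=C:\\Windows\\System32\\cmd.exe CommandLine=cmd.exe /c (taskkill /f /IM explorer.exe >nul 2>&1) & (start explorer >nul 2>&1)',
    'UtcTime=2026-01-29 09:59:14 EventID=1 Image=C:\\Windows\\System32\\schtasks.exe CommandLine=schtasks.exe /Delete /tn ' + Q + 'OneDriveHealth' + Q + ' /f',
    'UtcTime=2026-01-29 10:02:00 EventID=13 Image=C:\\Windows\\System32\\rundll32.exe TargetObject=HKU\\S-1-5-21-1\\Software\\Microsoft\\Office\\16.0\\Outlook\\Security\\Level Details=DWORD (0x00000001)',
    'UtcTime=2026-01-29 10:02:01 EventID=11 Image=C:\\Windows\\System32\\rundll32.exe TargetFilename=C:\\Users\\u\\AppData\\Roaming\\Microsoft\\Outlook\\VbaProject.OTM',
    'UtcTime=2026-01-29 10:05:00 EventID=13 Image=C:\\Windows\\explorer.exe TargetObject=HKU\\S-1-5-21-1\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Advanced\\Hidden Details=DWORD (0x00000001)',
]

if __name__ == '__main__':
    for hit in hunt(SAMPLE_EVENTS):
        print(hit)
```

The bare rundll32.exe tables(1).dll line is deliberately not flagged on its own: rundll32 loading an arbitrary DLL is too noisy as a stand-alone rule, and the chain is caught more reliably at the registry write and the explorer.exe restart that follow it.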
Trellix Email Security and the IVX sandbox proactively stopped this campaign: a generic signature on the malicious attachment's behavior caught it without a campaign-specific update.\r\nTrellix detection\r\nProducts: Trellix Network Security, Trellix VX, Trellix Cloud MVX, Trellix File Protect, Trellix Malware Analysis, Trellix SmartVision, Trellix Email Security, Trellix Detection As A Service, Trellix NX\r\nSignatures: Malware.Binary.doc; Script.Trojan-Downloader.Agent.BNX\r\nMITRE ATT\u0026CK techniques mapped\r\nThe following table maps key techniques observed in this APT28 campaign to the corresponding MITRE ATT\u0026CK tactics and technique IDs (tactic | technique | implementation details):\r\nInitial Access | T1566.001 Phishing: Spearphishing Attachment | Weaponized RTF documents with CVE-2026-21509 exploit\r\nInitial Access | T1199 Trusted Relationship | Compromised Slovak and Bolivian government accounts\r\nInitial Access | T1189 Drive-by Compromise | Automatic remote content download via CVE-2026-21509\r\nExecution | T1203 Exploitation for Client Execution | CVE-2026-21509 exploitation\r\nExecution | T1204.002 User Execution: Malicious File | User opens RTF document\r\nExecution | T1218.011 System Binary Proxy Execution: Rundll32 | DLL execution via rundll32.exe\r\nExecution | T1059.003 Command and Scripting Interpreter: Windows Command Shell | cmd.exe for orchestration\r\nPersistence | T1546.015 Event Triggered Execution: Component Object Model Hijacking | CLSID {D9144DCD-E998-4ECA-AB6A-DCD83CCBA16D} hijacked\r\nPersistence | T1053.005 Scheduled Task/Job: Scheduled Task | \"OneDriveHealth\" scheduled task (temporary)\r\nPersistence | T1137.001 Office Application Startup: Office Template Macros | Outlook VBA macro (NotDoor persistence)\r\nDefense Evasion | T1027 Obfuscated Files or Information | Triple XOR encryption (single-byte, alternating-byte, rotating key)\r\nDefense Evasion | T1055 Process Injection | Injects into explorer.exe via COM\r\nDefense Evasion | T1070.004 Indicator Removal: File Deletion | Deletes scheduled task after persistence established\r\nDefense Evasion | T1140 Deobfuscate/Decode Files or Information | Runtime XOR decryption\r\nDefense Evasion | T1497.003 Virtualization/Sandbox Evasion: Time Based Evasion | 3-second sleep with timing validation\r\nCredential Access | T1528 Steal Application Access Token | Government account compromise (Slovak, Bolivian)\r\nDiscovery | T1082 System Information Discovery | Queries system information\r\nDiscovery | T1057 Process Discovery | Checks for explorer.exe\r\nCollection | T1114 Email Collection | NotDoor: automated diplomatic email collection from Outlook\r\nCommand and Control | T1102 Web Service | filen[.]io cloud storage for C2\r\nCommand and Control | T1071.001 Application Layer Protocol: Web Protocols | HTTPS/TLS for C2\r\nCommand and Control | T1573.001 Encrypted Channel: Symmetric Cryptography | AES-256-GCM/CBC encryption\r\nCommand and Control | T1090.003 Proxy: Multi-hop Proxy | Multiple filen[.]io gateway domains\r\nExfiltration | T1048 Exfiltration Over Alternative Protocol | NotDoor: email forwarding as exfiltration channel\r\nExfiltration | T1567.002 Exfiltration Over Web Service: Exfiltration to Cloud Storage | Diplomatic data exfiltration via filen[.]io\r\nExfiltration | T1020 Automated Exfiltration | Automated via Covenant Grunt\r\nIndicators of Compromise (IoCs)\r\nFile Hashes – Malicious Documents \u0026 Malware (file name | MD5 | SHA-256, truncated in this archived copy)\r\n1301.doc | b6a86f44d0a3fa5a5ac979d691189f2d | 969d2776df0674a1cca0\r\n5a17cfaea0cc3a82242fdd11b53140c0b56256d769b07c33757d61e0a0a6ec02.doc | 4727582023cd8071a6f388ea3ba2feaa | 5a17cfaea0cc3a82242fd\r\nConsultation_Note_Ministry_of_Defense_Bolivia(Final).doc | 1550ae7df233bb9a9c9e78bf8b236072 | e792adf4dff54faca5b9f5\r\nConsultation_Topics_Ukraine(Final).doc | 045d1e0686f8b4b49b2d9cf48ac821f8 | d213b5079462e737eb94\r\nCourses.doc | 2f7b4dca1c79e525aef8da537294a6c4 | 1ed863a32372160b3a25\r\nOper Informativ Possible International Weapons.doc | 0df3fde016f3c0974d4aa01b06724a33 | 968756e62052f9af80934\r\nOperInfConsdin Siria în România 145.doc | 4727582023cd8071a6f388ea3ba2feaa | 5a17cfaea0cc3a82242fd\r\nOperInformation.doc | 6408276cdfd12a1d5d3ed7256bfba639 | baad1153e58c86aa1dc9\r\nOperInformativ_163.doc | 41c51784f6d601ffd0e09b7d59ff6025 | b7342b03d7642c894eba\r\nЗапитання для інтерв'ю (1).doc (Ukrainian: \"Questions for the interview (1).doc\") | 58f517bdc9ba8de1b69829b0dcf86113 | be859b4f4576ec09b69a\r\nBULLETEN_H.doc | 7c396677848776f9824ebe408bbba943 | c91183175ce77360006f\r\n1291.doc | d47261e52335b516a777da368208ee91 | fd3f13db41cd5b442fa26\r\nInternational Weapons Smuggling from Syria to Europe 51.doc | c306e0a3ec528368f0b0332104148266 | 8b0ab7f7f48bf847c3af5\r\nSimpleLoader | 859c4b85ed85e6cc4eadb1a037a61e16 | 0bb0d54033767f081cae\r\nEhStoreShell.dll | e4a5c4b205e1b80dc20d9a2fb4126d06 | a876f648991711e44a8d\r\nVbaProject.OTM | 337cecf067ecf0609b943b54fb246ed2 | 7ccf7e8050c66eed69f35\r\nNetwork Indicators – Domains and IPs (domain | IP address)\r\nwellnesscaremed[.]com | 23.227.202[.]14\r\nwellnessmedcare[.]org | 193.187.148[.]169\r\nfreefoodaid[.]com | 159.253.120[.]2\r\nlongsauce[.]com | 72.62.185[.]31\r\nEmail-based C2 (NotDoor exfiltration addresses)\r\nchmilewskii@outlook[.]com (Microsoft Outlook)\r\nchmilewskii@proton[.]me (ProtonMail)\r\nFilen[.]io Cloud Storage Accounts (email | API key)\r\njannet.stillman@outlook[.]com | s_zTx8oEG3MySPkv0EJH8N-TKNU8fzpm9d2BRYzXq_lbEFTruBAs-Of0sdrYd3vU\r\nfiscalizacionycontrol@cordoba.gov[.]ar | nJlCvhtYI4CS4XrB0T5vsrUMF6T83GuZxtH8gFeQQDSf0be4QMDBQ4vblYVWTz7o\r\nnagipeterson@emailasso.net | OgaBSQfSJaNtNlb7_SY9UOCzh-NgJFGgep2yyHyxCtQUUkckr3N5CFBy3ehTgb3K\r\nMalicious URLs (embedded in the RTF documents)\r\nhttp://wellnessmedcare[.]org/cz/Downloads/blank.doc\r\nhttps://wellnessmedcare[.]org/cz/Downloads/document.LnK?init=1\r\nhttp://wellnesscaremed[.]com/buch/Downloads/blank.doc\r\nhttps://wellnesscaremed[.]com/buch/Downloads/document.doc.LnK?init=1\r\nhttps://freefoodaid[.]com/documents/1_1.LnK?init=1\r\nhttp://freefoodaid[.]com/documents/2_1.lNk?init=1\r\nhttps://freefoodaid[.]com/tables//template_tables.doc\r\nhttps://freefoodaid[.]com/tables/tables.lNk?init=1\r\nhttp://wellnesscaremed[.]com/ankara/Favorites/blank.doc\r\nhttps://wellnesscaremed[.]com/ankara/Favorites/document.doc.LnK?init=1\r\nhttps://longsauce[.]com/DAv/DEFault/data.LnK?init=1\r\nhttps://longsauce[.]com/DAv/DEFault/df.doc\r\nhttp://wellnesscaremed[.]com/venezia/Favorites/blank.doc\r\nhttps://wellnesscaremed[.]com/venezia/Favorites/document.doc.LnK?init=1\r\nhttp://wellnessmedcare[.]org/pol/Downloads/blank.doc\r\nhttps://wellnessmedcare[.]org/pol/Downloads/document.LnK?init=1\r\nhttp://wellnesscaremed[.]com/ljub/Downloads/blank.doc\r\nhttps://wellnesscaremed[.]com/ljub/Downloads/document.doc.LnK?init=1\r\nHost-based Indicators\r\nFile Paths (BEARDSHELL chain)\r\nC:\\ProgramData\\USOPublic\\Data\\User\\EhStoreShell.dll\r\nC:\\ProgramData\\Microsoft OneDrive\\setup\\Cache\\SplashScreen.png\r\nC:\\Users\\*\\AppData\\Local\\Temp\\Diagnostics\\office.xml\r\nFile Paths (NotDoor chain)\r\n%APPDATA%\\Microsoft\\Outlook\\VbaProject.OTM\r\n%TEMP%\\temp_email.msg\r\nRegistry Keys (BEARDSHELL - COM hijacking persistence)\r\nHKCU\\Software\\Classes\\CLSID\\{D9144DCD-E998-4ECA-AB6A-DCD83CCBA16D}\\InProcServer32\r\nRegistry Keys (NotDoor - Outlook security bypass)\r\nHKCU\\Software\\Microsoft\\Office\\16.0\\Outlook\\Security\\Level = 1\r\nHKCU\\Software\\Microsoft\\Office\\16.0\\Outlook\\LoadMacroProviderOnBoot = 1\r\nMutex Names\r\nadjgfenkbe (SimpleLoader)\r\ndvyubgbqfusdv32 (BEARDSHELL)\r\nScheduled Task\r\nOneDriveHealth (temporary, deleted after COM persistence is established)\r\nProcess Indicators\r\nrundll32.exe tables(1).dll\r\ncmd.exe /c (taskkill /f /IM explorer.exe \u003enul 2\u003e\u00261) \u0026 (start explorer \u003enul 2\u003e\u00261)\r\nschtasks.exe /Create /tn \"OneDriveHealth\"\r\nReferences:\r\n[1] CERT-UA, \"Danger Bulletin\": UAC-0001 (APT28) carries out cyberattacks against Ukraine and EU countries using the CVE-2026-21509 exploit (CERT-UA#19542). Original title: «Бюлетень небезпеки»: UAC-0001 (APT28) здійснює кібератаки у відношенні України та країн ЄС з використанням експлойту CVE-2026-21509. https://cert.gov.ua/article/6287250\r\n[2] CERT-UA, UAC-0001 (APT28) cyberattacks against government bodies using BEARDSHELL and COVENANT. Original title: Кібератаки UAC-0001 (APT28) у відношенні державних органів із застосуванням BEARDSHELL та COVENANT. https://cert.gov.ua/article/6284080\r\n[3] Sekoia.io, APT28 Operation Phantom Net Voxel. https://blog.sekoia.io/apt28-operation-phantom-net-voxel/\r\n[4] Splunk, NotDoor Insights: A Closer Look at Outlook Macros and More. https://www.splunk.com/en_us/blog/security/notdoor-insights-a-closer-look-at-outlook-macros-and-more.html\r\n[5] Lab52, Analyzing NotDoor: Inside APT28’s Expanding Arsenal. https://lab52.io/blog/analyzing-notdoor-inside-apt28s-expanding-arsenal/\r\n[6] Microsoft, Microsoft Office Security Feature Bypass Vulnerability CVE-2026-21509. https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-21509\r\n[7] Zscaler, APT28 Leverages CVE-2026-21509 in Operation Neusploit. https://www.zscaler.com/fr/blogs/security-research/apt28-leverages-cve-2026-21509-operation-neusploit\r\nSource: https://strikeready.com/blog/apt28s-campaign-leveraging-cve%E2%80%912026%E2%80%9121509-and-cloud-c2-infrastructure/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://strikeready.com/blog/apt28s-campaign-leveraging-cve%E2%80%912026%E2%80%9121509-and-cloud-c2-infrastructure/"
	],
	"report_names": [
		"apt28s-campaign-leveraging-cve%E2%80%912026%E2%80%9121509-and-cloud-c2-infrastructure"
	],
	"threat_actors": [
		{
			"id": "730dfa6e-572d-473c-9267-ea1597d1a42b",
			"created_at": "2023-01-06T13:46:38.389985Z",
			"updated_at": "2026-04-10T02:00:02.954105Z",
			"deleted_at": null,
			"main_name": "APT28",
			"aliases": [
				"Pawn Storm",
				"ATK5",
				"Fighting Ursa",
				"Blue Athena",
				"TA422",
				"T-APT-12",
				"APT-C-20",
				"UAC-0001",
				"IRON TWILIGHT",
				"SIG40",
				"UAC-0028",
				"Sofacy",
				"BlueDelta",
				"Fancy Bear",
				"GruesomeLarch",
				"Group 74",
				"ITG05",
				"FROZENLAKE",
				"Forest Blizzard",
				"FANCY BEAR",
				"Sednit",
				"SNAKEMACKEREL",
				"Tsar Team",
				"TG-4127",
				"STRONTIUM",
				"Grizzly Steppe",
				"G0007"
			],
			"source_name": "MISPGALAXY:APT28",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "e3767160-695d-4360-8b2e-d5274db3f7cd",
			"created_at": "2022-10-25T16:47:55.914348Z",
			"updated_at": "2026-04-10T02:00:03.610018Z",
			"deleted_at": null,
			"main_name": "IRON TWILIGHT",
			"aliases": [
				"APT28 ",
				"ATK5 ",
				"Blue Athena ",
				"BlueDelta ",
				"FROZENLAKE ",
				"Fancy Bear ",
				"Fighting Ursa ",
				"Forest Blizzard ",
				"GRAPHITE ",
				"Group 74 ",
				"PawnStorm ",
				"STRONTIUM ",
				"Sednit ",
				"Snakemackerel ",
				"Sofacy ",
				"TA422 ",
				"TG-4127 ",
				"Tsar Team ",
				"UAC-0001 "
			],
			"source_name": "Secureworks:IRON TWILIGHT",
			"tools": [
				"Downdelph",
				"EVILTOSS",
				"SEDUPLOADER",
				"SHARPFRONT"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "ae320ed7-9a63-42ed-944b-44ada7313495",
			"created_at": "2022-10-25T15:50:23.671663Z",
			"updated_at": "2026-04-10T02:00:05.283292Z",
			"deleted_at": null,
			"main_name": "APT28",
			"aliases": [
				"APT28",
				"IRON TWILIGHT",
				"SNAKEMACKEREL",
				"Group 74",
				"Sednit",
				"Sofacy",
				"Pawn Storm",
				"Fancy Bear",
				"STRONTIUM",
				"Tsar Team",
				"Threat Group-4127",
				"TG-4127",
				"Forest Blizzard",
				"FROZENLAKE",
				"GruesomeLarch"
			],
			"source_name": "MITRE:APT28",
			"tools": [
				"Wevtutil",
				"certutil",
				"Forfiles",
				"DealersChoice",
				"Mimikatz",
				"ADVSTORESHELL",
				"Komplex",
				"HIDEDRV",
				"JHUHUGIT",
				"Koadic",
				"Winexe",
				"cipher.exe",
				"XTunnel",
				"Drovorub",
				"CORESHELL",
				"OLDBAIT",
				"Downdelph",
				"XAgentOSX",
				"USBStealer",
				"Zebrocy",
				"reGeorg",
				"Fysbis",
				"LoJax"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "d2516b8e-e74f-490d-8a15-43ad6763c7ab",
			"created_at": "2022-10-25T16:07:24.212584Z",
			"updated_at": "2026-04-10T02:00:04.900038Z",
			"deleted_at": null,
			"main_name": "Sofacy",
			"aliases": [
				"APT 28",
				"ATK 5",
				"Blue Athena",
				"BlueDelta",
				"FROZENLAKE",
				"Fancy Bear",
				"Fighting Ursa",
				"Forest Blizzard",
				"G0007",
				"Grey-Cloud",
				"Grizzly Steppe",
				"Group 74",
				"GruesomeLarch",
				"ITG05",
				"Iron Twilight",
				"Operation DealersChoice",
				"Operation Dear Joohn",
				"Operation Komplex",
				"Operation Pawn Storm",
				"Operation RoundPress",
				"Operation Russian Doll",
				"Operation Steal-It",
				"Pawn Storm",
				"SIG40",
				"Sednit",
				"Snakemackerel",
				"Sofacy",
				"Strontium",
				"T-APT-12",
				"TA422",
				"TAG-0700",
				"TAG-110",
				"TG-4127",
				"Tsar Team",
				"UAC-0028",
				"UAC-0063"
			],
			"source_name": "ETDA:Sofacy",
			"tools": [
				"ADVSTORESHELL",
				"AZZY",
				"Backdoor.SofacyX",
				"CHERRYSPY",
				"CORESHELL",
				"Carberp",
				"Computrace",
				"DealersChoice",
				"Delphacy",
				"Downdelph",
				"Downrage",
				"Drovorub",
				"EVILTOSS",
				"Foozer",
				"GAMEFISH",
				"GooseEgg",
				"Graphite",
				"HATVIBE",
				"HIDEDRV",
				"Headlace",
				"Impacket",
				"JHUHUGIT",
				"JKEYSKW",
				"Koadic",
				"Komplex",
				"LOLBAS",
				"LOLBins",
				"Living off the Land",
				"LoJack",
				"LoJax",
				"MASEPIE",
				"Mimikatz",
				"NETUI",
				"Nimcy",
				"OCEANMAP",
				"OLDBAIT",
				"PocoDown",
				"PocoDownloader",
				"Popr-d30",
				"ProcDump",
				"PythocyDbg",
				"SMBExec",
				"SOURFACE",
				"SPLM",
				"STEELHOOK",
				"Sasfis",
				"Sedkit",
				"Sednit",
				"Sedreco",
				"Seduploader",
				"Shunnael",
				"SkinnyBoy",
				"Sofacy",
				"SofacyCarberp",
				"SpiderLabs Responder",
				"Trojan.Shunnael",
				"Trojan.Sofacy",
				"USB Stealer",
				"USBStealer",
				"VPNFilter",
				"Win32/USBStealer",
				"WinIDS",
				"Winexe",
				"X-Agent",
				"X-Tunnel",
				"XAPS",
				"XTunnel",
				"Xagent",
				"Zebrocy",
				"Zekapab",
				"carberplike",
				"certutil",
				"certutil.exe",
				"fysbis",
				"webhp"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434539,
	"ts_updated_at": 1775792270,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/f9428e66aa352db1855fa1c9f52903736256ed07.pdf",
		"text": "https://archive.orkl.eu/f9428e66aa352db1855fa1c9f52903736256ed07.txt",
		"img": "https://archive.orkl.eu/f9428e66aa352db1855fa1c9f52903736256ed07.jpg"
	}
}